Everyone,
I've looked through various archives and haven't found what I'm looking for. If an answer to my question exists, please accept my apology for redundant posts and point me in the right direction. My dilemma is as follows:
What I'm trying to do is allow multiple IPs from the Internet (let's say 123.1.1.10 and 200.1.1.100, connecting to tcp port 25), then dnat those Internet IPs to two different IP ranges on different networks (say 10.1.1.25-10.1.1.35 and 192.168.50.25-192.168.50.35). Listed below is a sanitized example of what I'm using (IPs have been changed). All sections listed below work perfectly when I'm using dnat to target one network range (say 10.1.1.25-10.1.1.35); however, if I try adding in the second IP range (192.168.50.25-192.168.50.35), this breaks the process. I need to preserve the round robin approach just in case a destination server is having issues. With this in mind, can someone let me know if I can dnat the inbound IPs to two different network ranges using the approach shown below? If so, what do I need to change? I've tried lots of different ways to do this and none work.
Thanks in advance, Greg
## section 1
# Mark new SMTP connections from each listed source address (comment lines skipped).
for ips in `grep -v "^#" /fake/mnt/test_smtp_ips`; do
    $IPTABLES -t mangle -A PREROUTING -p tcp \
        -s $ips \
        --destination-port 25 \
        -m state --state NEW,RELATED,ESTABLISHED \
        -j MARK --set-mark 11111
done

## section 2
# Forward marked traffic and the replies belonging to established connections.
$IPTABLES -A FORWARD -m mark --mark 11111 -j ACCEPT
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

## section 3
# Round-robin DNAT across the internal range.
# NB: this rule matches mark 31337, while section 1 sets 11111; the two must agree
# for the DNAT to fire.
$IPTABLES -t nat -A PREROUTING \
    -m mark --mark 31337 \
    -j DNAT \
    --to-destination 10.1.1.25-10.1.1.35

## section 4
# Rewrite the source so the internal hosts answer back through this box.
$IPTABLES -t nat -A POSTROUTING -m mark --mark 11111 \
    -j SNAT \
    --to-source $IP_ADDRESS